June Patch Tuesday is upon us. There has been a lot of activity in the past few weeks. Mid-May was the Pwn2Own Berlin 2025 event, and the $1M USD in rewards that were paid out came with many newly discovered vulnerabilities affecting Microsoft, Google, Mozilla, VMware, NVIDIA, Oracle and other vendors. Since the event, many of these vendors have released updates, so expect a lot of third-party updates to deploy this month from releases leading up to Patch Tuesday.

Microsoft released updates resolving 66 CVEs, nine of which are rated Critical. In addition, there is one public disclosure and one zero-day exploit. Updates this month affect Windows, Office, SharePoint, Visual Studio, and .NET. The zero-day and the public disclosure are both resolved by the Windows OS update this month.

Third-party updates from Mozilla, Google (including two recent zero-day exploits) and Adobe leading up to Patch Tuesday will add to the load. If your organization updates applications like browsers on a weekly basis to keep up with the continuous-release applications commonly used to target end users, you should be up to date on all but Adobe. If not, make sure these are queued up for your patch maintenance.

Microsoft exploited vulnerabilities

Microsoft has resolved a Remote Code Execution vulnerability in Web Distributed Authoring and Versioning (WebDAV) (CVE-2025-33053), which Microsoft has confirmed to be exploited in the wild. Microsoft rates the CVE as Important and it has a CVSS v3.1 score of 8.8. Risk-based prioritization would treat this as Critical.

Microsoft’s publicly disclosed vulnerabilities

Microsoft has resolved an Elevation of Privilege vulnerability in Windows SMB Client (CVE-2025-33073), which Microsoft has confirmed is publicly disclosed. Microsoft rates the CVE as Important and it has a CVSS v3.1 score of 8.8. The code maturity is Proof-of-Concept and the vulnerability is remotely exploitable, which will make this a desirable target for threat actors. A risk-based prioritization methodology would warrant treating this as Critical.

Third-party vulnerabilities

Google Chrome continues its weekly security update cadence. Expect a Chrome update this week to add to the four releases and 14 CVEs resolved since May Patch Tuesday. This includes two zero-day exploits resolved in the past few weeks (CVE-2025-5419 and CVE-2025-4664).

Mozilla has released multiple security updates since the Pwn2Own Berlin event. The two CVEs exploited in the event were resolved in the May 17 release (Firefox 138.0.4) and since then, Mozilla has released Firefox 139 and 139.0.4, as well as updates for Firefox ESR and Thunderbird. Ensure you have the latest Mozilla updates queued up this Patch Tuesday.

Adobe has released updates for Acrobat Reader and six other products, resolving 259 CVEs. 225 of these were included in the Experience Manager update, with hefty contributions from a handful of diligent security researchers.

Ivanti security advisory

Ivanti has released one update for June Patch Tuesday resolving a total of three CVEs. The affected product is Ivanti Workspace Control.

For more details you can view the updates and information provided in the June Security Update on the Ivanti blog.

June update priorities

  • The Windows OS is the top priority this month with one zero-day exploit (CVE-2025-33053) and one public disclosure (CVE-2025-33073).
  • Google Chrome should be a top priority if you have not deployed updates for June 2 and earlier, as it will resolve two zero-day exploits (CVE-2025-5419 and CVE-2025-4664).
  • Browsers in general should be updated weekly to keep up with the continuous release cycle. Edge, Chrome and Firefox received multiple updates since May Patch Tuesday, including multiple high-profile disclosures and zero-day exploits.